04/26/2022 11:04:45 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327446 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b28 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:04:46 AM LogName=Security EventCode=4634 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327450 Keywords=Audit Success TaskCategory=Logoff OpCode=Info Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x293873 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/26/2022 11:04:46 AM LogName=Security EventCode=4624 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327449 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x293873 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {52511141-247C-C05F-EA0B-18FD4B5373EF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 58185 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/26/2022 11:04:46 AM LogName=Security EventCode=4672 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327448 Keywords=Audit Success TaskCategory=Special Logon OpCode=Info Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x293873 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege
04/26/2022 11:04:46 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327447 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x16c8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:04:47 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327451 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x146c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:04:48 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327452 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x195c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:04:49 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327453 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x180c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:04:50 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327454 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x254 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:04:52 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327455 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x5f4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:05:45 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327456 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1be8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:05:46 AM LogName=Security EventCode=4634 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327460 Keywords=Audit Success TaskCategory=Logoff OpCode=Info Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2978A6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/26/2022 11:05:46 AM LogName=Security EventCode=4624 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327459 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2978A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {52511141-247C-C05F-EA0B-18FD4B5373EF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 58198 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/26/2022 11:05:46 AM LogName=Security EventCode=4672 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327458 Keywords=Audit Success TaskCategory=Special Logon OpCode=Info Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2978A6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege
04/26/2022 11:05:46 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327457 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a74 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:05:47 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327461 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1898 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:05:48 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327462 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x19a4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:05:49 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327463 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xe1c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:05:50 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327464 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:05:52 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327465 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x820 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:06:45 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327466 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x13a4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:06:46 AM LogName=Security EventCode=4634 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327470 Keywords=Audit Success TaskCategory=Logoff OpCode=Info Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x29B857 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 04/26/2022 11:06:46 AM LogName=Security EventCode=4624 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327469 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x29B857 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {52511141-247C-C05F-EA0B-18FD4B5373EF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 58210 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/26/2022 11:06:46 AM LogName=Security EventCode=4672 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327468 Keywords=Audit Success TaskCategory=Special Logon OpCode=Info Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x29B857 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 04/26/2022 11:06:46 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327467 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a38 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:06:47 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327471 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x153c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:06:48 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327472 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a54 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:06:49 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327473 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x188c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:06:50 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327475 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ad8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:06:50 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327474 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x95AF8 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1aa4 New Process Name: C:\Windows\System32\auditpol.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x248 Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: auditpol /get /category:* Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:06:52 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327476 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b14 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:07:20 AM LogName=Security EventCode=4624 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327478 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x29EF30 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6BAD096B-6E93-B4C2-9FF2-462F31817520} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 58218 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. 
It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/26/2022 11:07:20 AM LogName=Security EventCode=4672 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327477 Keywords=Audit Success TaskCategory=Special Logon OpCode=Info Message=Special privileges assigned to new logon. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x29EF30 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 04/26/2022 11:07:22 AM LogName=Security EventCode=4624 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327480 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: ATTACKRANGE\WIN-DC-CTUS-ATT$ Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x29F2EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D7FC2909-EEC8-72E8-5946-2D0168EFEC2A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. 
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/26/2022 11:07:22 AM LogName=Security EventCode=4672 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327479 Keywords=Audit Success TaskCategory=Special Logon OpCode=Info Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\WIN-DC-CTUS-ATT$ Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x29F2EB Privileges: SeAuditPrivilege SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege 04/26/2022 11:07:31 AM LogName=Security EventCode=4634 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327481 Keywords=Audit Success TaskCategory=Logoff OpCode=Info Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x29EF30 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 
04/26/2022 11:07:45 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327482 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x186c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:07:46 AM LogName=Security EventCode=4634 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327486 Keywords=Audit Success TaskCategory=Logoff OpCode=Info Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2A0CF0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 04/26/2022 11:07:46 AM LogName=Security EventCode=4624 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327485 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2A0CF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {52511141-247C-C05F-EA0B-18FD4B5373EF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 56852 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. 
It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/26/2022 11:07:46 AM LogName=Security EventCode=4672 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327484 Keywords=Audit Success TaskCategory=Special Logon OpCode=Info Message=Special privileges assigned to new logon. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2A0CF0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 04/26/2022 11:07:46 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327483 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xde8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:07:47 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327487 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x192c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:07:48 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327488 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x7d8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:07:49 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327489 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x790 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:07:50 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327490 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x778 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:07:52 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327491 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x59c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:07:59 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327492 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x95AF8 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a64 New Process Name: C:\Windows\System32\mmc.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1230 Creator Process Name: C:\Windows\explorer.exe Process Command Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpedit.msc" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:08:02 AM LogName=Security EventCode=4634 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327495 Keywords=Audit Success TaskCategory=Logoff OpCode=Info Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2A87EF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 04/26/2022 11:08:02 AM LogName=Security EventCode=4624 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327494 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2A87EF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9D806D61-8FC4-BE7E-6586-4F00FD1DA1B6} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 56857 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/26/2022 11:08:02 AM LogName=Security EventCode=4672 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327493 Keywords=Audit Success TaskCategory=Special Logon OpCode=Info Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2A87EF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 04/26/2022 11:08:03 AM LogName=Security EventCode=4634 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327498 Keywords=Audit Success TaskCategory=Logoff OpCode=Info Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2A891B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 04/26/2022 11:08:03 AM LogName=Security EventCode=4624 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327497 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2A891B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9D806D61-8FC4-BE7E-6586-4F00FD1DA1B6} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 56859 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/26/2022 11:08:03 AM LogName=Security EventCode=4672 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327496 Keywords=Audit Success TaskCategory=Special Logon OpCode=Info Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2A891B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 04/26/2022 11:08:25 AM LogName=Security EventCode=4634 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327511 Keywords=Audit Success TaskCategory=Logoff OpCode=Info Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2AAC98 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 04/26/2022 11:08:25 AM LogName=Security EventCode=4634 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327510 Keywords=Audit Success TaskCategory=Logoff OpCode=Info Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2AAD86 Logon Type: 3 This event is generated when a logon session is destroyed. 
It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 04/26/2022 11:08:25 AM LogName=Security EventCode=4634 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327509 Keywords=Audit Success TaskCategory=Logoff OpCode=Info Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2AADD4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 04/26/2022 11:08:25 AM LogName=Security EventCode=4624 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327508 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2AAE60 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7B7EF7D7-B137-F6AB-ADD4-38282B028CFB} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::114f:69d5:55f4:442d Source Port: 56867 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. 
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/26/2022 11:08:25 AM LogName=Security EventCode=4672 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327507 Keywords=Audit Success TaskCategory=Special Logon OpCode=Info Message=Special privileges assigned to new logon. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2AAE60 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 04/26/2022 11:08:25 AM LogName=Security EventCode=4624 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327506 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2AADD4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1B865B52-F154-1B61-37EF-ADC1045836BF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 56866 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. 
the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/26/2022 11:08:25 AM LogName=Security EventCode=4672 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327505 Keywords=Audit Success TaskCategory=Special Logon OpCode=Info Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2AADD4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege
04/26/2022 11:08:25 AM LogName=Security EventCode=4624 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327504 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2AAD86 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7B7EF7D7-B137-F6AB-ADD4-38282B028CFB} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/26/2022 11:08:25 AM LogName=Security EventCode=4672 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327503 Keywords=Audit Success TaskCategory=Special Logon OpCode=Info Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2AAD86 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege
04/26/2022 11:08:25 AM LogName=Security EventCode=4624 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327502 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2AAC98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1B865B52-F154-1B61-37EF-ADC1045836BF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::114f:69d5:55f4:442d Source Port: 56865 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/26/2022 11:08:25 AM LogName=Security EventCode=4672 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327501 Keywords=Audit Success TaskCategory=Special Logon OpCode=Info Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2AAC98 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege
04/26/2022 11:08:25 AM LogName=Security EventCode=4624 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327500 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2AAC6F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1B865B52-F154-1B61-37EF-ADC1045836BF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::114f:69d5:55f4:442d Source Port: 56864 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/26/2022 11:08:25 AM LogName=Security EventCode=4672 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327499 Keywords=Audit Success TaskCategory=Special Logon OpCode=Info Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2AAC6F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege
04/26/2022 11:08:36 AM LogName=Security EventCode=4634 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327512 Keywords=Audit Success TaskCategory=Logoff OpCode=Info Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2AAE60 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/26/2022 11:08:45 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327513 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x12b0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:08:46 AM LogName=Security EventCode=4634 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327517 Keywords=Audit Success TaskCategory=Logoff OpCode=Info Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2AD7A8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/26/2022 11:08:46 AM LogName=Security EventCode=4624 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327516 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2AD7A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {52511141-247C-C05F-EA0B-18FD4B5373EF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 56874 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/26/2022 11:08:46 AM LogName=Security EventCode=4672 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327515 Keywords=Audit Success TaskCategory=Special Logon OpCode=Info Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2AD7A8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege
04/26/2022 11:08:46 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327514 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xb2c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:08:47 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327518 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x19c0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:08:48 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327519 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x10a8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:08:49 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327520 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1894 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:08:50 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327521 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x158c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:08:52 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327522 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x13a4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:09:45 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327523 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ae8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:09:46 AM LogName=Security EventCode=4634 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327527 Keywords=Audit Success TaskCategory=Logoff OpCode=Info Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2B2700 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/26/2022 11:09:46 AM LogName=Security EventCode=4624 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327526 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2B2700 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {52511141-247C-C05F-EA0B-18FD4B5373EF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 56887 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/26/2022 11:09:46 AM LogName=Security EventCode=4672 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327525 Keywords=Audit Success TaskCategory=Special Logon OpCode=Info Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2B2700 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege
04/26/2022 11:09:46 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327524 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x183c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:09:47 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327528 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b00 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:09:48 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327529 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x9b8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled.
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:09:49 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327530 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xc28 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:09:50 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327531 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x548 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:09:52 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327532 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1698 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:10:00 AM LogName=Security EventCode=4634 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327533 Keywords=Audit Success TaskCategory=Logoff OpCode=Info Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2AAC6F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 04/26/2022 11:10:32 AM LogName=Security EventCode=4634 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327534 Keywords=Audit Success TaskCategory=Logoff OpCode=Info Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-DC-CTUS-ATT$ Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x29F2EB Logon Type: 3 This event is generated when a logon session is destroyed. 
It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 04/26/2022 11:10:45 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327535 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x7d8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:10:46 AM LogName=Security EventCode=4634 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327539 Keywords=Audit Success TaskCategory=Logoff OpCode=Info Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2B9B7C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 04/26/2022 11:10:46 AM LogName=Security EventCode=4624 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327538 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2B9B7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {52511141-247C-C05F-EA0B-18FD4B5373EF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 56901 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. 
It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/26/2022 11:10:46 AM LogName=Security EventCode=4672 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327537 Keywords=Audit Success TaskCategory=Special Logon OpCode=Info Message=Special privileges assigned to new logon. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2B9B7C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 04/26/2022 11:10:46 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327536 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x744 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:10:47 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327540 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x5f4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:10:48 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327541 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x59c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:10:49 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327543 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xe18 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:10:49 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327542 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a5c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/26/2022 11:10:52 AM LogName=Security EventCode=4688 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327544 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a74 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x594 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/26/2022 11:11:14 AM LogName=Security EventCode=4719 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327574 Keywords=Audit Success TaskCategory=Audit Policy Change OpCode=Info Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Account Logon Subcategory: Kerberos Authentication Service Subcategory GUID: {0CCE9242-69AE-11D9-BED3-505054503030} Changes: Success removed
04/26/2022 11:11:14 AM LogName=Security EventCode=4719 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327573 Keywords=Audit Success TaskCategory=Audit Policy Change OpCode=Info Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Account Logon Subcategory: Kerberos Service Ticket Operations Subcategory GUID: {0CCE9240-69AE-11D9-BED3-505054503030} Changes: Success removed
04/26/2022 11:11:14 AM LogName=Security EventCode=4719 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327572 Keywords=Audit Success TaskCategory=Audit Policy Change OpCode=Info Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Account Logon Subcategory: Credential Validation Subcategory GUID: {0CCE923F-69AE-11D9-BED3-505054503030} Changes: Success removed
04/26/2022 11:11:14 AM LogName=Security EventCode=4719 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327571 Keywords=Audit Success TaskCategory=Audit Policy Change OpCode=Info Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: DS Access Subcategory: Directory Service Access Subcategory GUID: {0CCE923B-69AE-11D9-BED3-505054503030} Changes: Success removed
04/26/2022 11:11:14 AM LogName=Security EventCode=4719 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327570 Keywords=Audit Success TaskCategory=Audit Policy Change OpCode=Info Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Account Management Subcategory: Security Group Management Subcategory GUID: {0CCE9237-69AE-11D9-BED3-505054503030} Changes: Success removed
04/26/2022 11:11:14 AM LogName=Security EventCode=4719 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327569 Keywords=Audit Success TaskCategory=Audit Policy Change OpCode=Info Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Account Management Subcategory: Computer Account Management Subcategory GUID: {0CCE9236-69AE-11D9-BED3-505054503030} Changes: Success removed
04/26/2022 11:11:14 AM LogName=Security EventCode=4719 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327568 Keywords=Audit Success TaskCategory=Audit Policy Change OpCode=Info Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Account Management Subcategory: User Account Management Subcategory GUID: {0CCE9235-69AE-11D9-BED3-505054503030} Changes: Success removed
04/26/2022 11:11:14 AM LogName=Security EventCode=4719 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327567 Keywords=Audit Success TaskCategory=Audit Policy Change OpCode=Info Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Policy Change Subcategory: Authentication Policy Change Subcategory GUID: {0CCE9230-69AE-11D9-BED3-505054503030} Changes: Success removed
04/26/2022 11:11:14 AM LogName=Security EventCode=4719 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327566 Keywords=Audit Success TaskCategory=Audit Policy Change OpCode=Info Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Policy Change Subcategory: Audit Policy Change Subcategory GUID: {0CCE922F-69AE-11D9-BED3-505054503030} Changes: Success removed
04/26/2022 11:11:14 AM LogName=Security EventCode=4719 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327565 Keywords=Audit Success TaskCategory=Audit Policy Change OpCode=Info Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Detailed Tracking Subcategory: Process Creation Subcategory GUID: {0CCE922B-69AE-11D9-BED3-505054503030} Changes: Success removed, Failure removed
04/26/2022 11:11:14 AM LogName=Security EventCode=4719 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327564 Keywords=Audit Success TaskCategory=Audit Policy Change OpCode=Info Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Object Access Subcategory: Other Object Access Events Subcategory GUID: {0CCE9227-69AE-11D9-BED3-505054503030} Changes: Success Added, Failure added
04/26/2022 11:11:14 AM LogName=Security EventCode=4719 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327563 Keywords=Audit Success TaskCategory=Audit Policy Change OpCode=Info Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Logon/Logoff Subcategory: Network Policy Server Subcategory GUID: {0CCE9243-69AE-11D9-BED3-505054503030} Changes: Success removed, Failure removed
04/26/2022 11:11:14 AM LogName=Security EventCode=4719 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327562 Keywords=Audit Success TaskCategory=Audit Policy Change OpCode=Info Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Logon/Logoff Subcategory: Special Logon Subcategory GUID: {0CCE921B-69AE-11D9-BED3-505054503030} Changes: Success removed
04/26/2022 11:11:14 AM LogName=Security EventCode=4719 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327561 Keywords=Audit Success TaskCategory=Audit Policy Change OpCode=Info Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Logon/Logoff Subcategory: Account Lockout Subcategory GUID: {0CCE9217-69AE-11D9-BED3-505054503030} Changes: Success removed
04/26/2022 11:11:14 AM LogName=Security EventCode=4719 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327560 Keywords=Audit Success TaskCategory=Audit Policy Change OpCode=Info Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Logon/Logoff Subcategory: Logoff Subcategory GUID: {0CCE9216-69AE-11D9-BED3-505054503030} Changes: Success removed
04/26/2022 11:11:14 AM LogName=Security EventCode=4719 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327559 Keywords=Audit Success TaskCategory=Audit Policy Change OpCode=Info Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Logon/Logoff Subcategory: Logon Subcategory GUID: {0CCE9215-69AE-11D9-BED3-505054503030} Changes: Success removed, Failure removed
04/26/2022 11:11:14 AM LogName=Security EventCode=4719 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327558 Keywords=Audit Success TaskCategory=Audit Policy Change OpCode=Info Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: System Subcategory: Other System Events Subcategory GUID: {0CCE9214-69AE-11D9-BED3-505054503030} Changes: Success removed, Failure removed
04/26/2022 11:11:14 AM LogName=Security EventCode=4719 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327557 Keywords=Audit Success TaskCategory=Audit Policy Change OpCode=Info Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: System Subcategory: System Integrity Subcategory GUID: {0CCE9212-69AE-11D9-BED3-505054503030} Changes: Success removed, Failure removed
04/26/2022 11:11:14 AM LogName=Security EventCode=4719 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327556 Keywords=Audit Success TaskCategory=Audit Policy Change OpCode=Info Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: System Subcategory: Security State Change Subcategory GUID: {0CCE9210-69AE-11D9-BED3-505054503030} Changes: Success removed
04/26/2022 11:11:14 AM LogName=Security EventCode=4634 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327555 Keywords=Audit Success TaskCategory=Logoff OpCode=Info Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2BD014 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/26/2022 11:11:14 AM LogName=Security EventCode=4634 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327554 Keywords=Audit Success TaskCategory=Logoff OpCode=Info Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2BD111 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/26/2022 11:11:14 AM LogName=Security EventCode=4634 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327553 Keywords=Audit Success TaskCategory=Logoff OpCode=Info Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2BD160 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/26/2022 11:11:14 AM LogName=Security EventCode=4624 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327552 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2BD242 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7B7EF7D7-B137-F6AB-ADD4-38282B028CFB} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::114f:69d5:55f4:442d Source Port: 56909 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/26/2022 11:11:14 AM LogName=Security EventCode=4672 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327551 Keywords=Audit Success TaskCategory=Special Logon OpCode=Info Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2BD242 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege
04/26/2022 11:11:14 AM LogName=Security EventCode=4624 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327550 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2BD160 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1B865B52-F154-1B61-37EF-ADC1045836BF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 56908 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/26/2022 11:11:14 AM LogName=Security EventCode=4672 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327549 Keywords=Audit Success TaskCategory=Special Logon OpCode=Info Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2BD160 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege
04/26/2022 11:11:14 AM LogName=Security EventCode=4624 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327548 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2BD111 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7B7EF7D7-B137-F6AB-ADD4-38282B028CFB} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/26/2022 11:11:14 AM LogName=Security EventCode=4672 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327547 Keywords=Audit Success TaskCategory=Special Logon OpCode=Info Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2BD111 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege
04/26/2022 11:11:14 AM LogName=Security EventCode=4624 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327546 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2BD014 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1B865B52-F154-1B61-37EF-ADC1045836BF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::114f:69d5:55f4:442d Source Port: 56907 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/26/2022 11:11:14 AM LogName=Security EventCode=4672 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327545 Keywords=Audit Success TaskCategory=Special Logon OpCode=Info Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-CTUS-ATT$ Account Domain: ATTACKRANGE Logon ID: 0x2BD014 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege
04/26/2022 11:12:05 AM LogName=Security EventCode=4699 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327575 Keywords=Audit Success TaskCategory=Other Object Access Events OpCode=Info Message=A scheduled task was deleted. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x95AF8 Task Information: Task Name: \MyTaskname Task Content:
04/26/2022 11:12:09 AM LogName=Security EventCode=4698 EventType=0 ComputerName=win-dc-ctus-attack-range-54.attackrange.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=327576 Keywords=Audit Success TaskCategory=Other Object Access Events OpCode=Info Message=A scheduled task was created. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x95AF8 Task Information: Task Name: \MyTaskname Task Content: 2022-04-26T10:49:31 ATTACKRANGE\administrator \MyTaskname ATTACKRANGE\Administrator InteractiveToken LeastPrivilege true true true IgnoreNew PT10M PT1H true false 2022-04-26T00:00:00 1 %~dp0\MyBatch.bat
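Added example, not part of the exported log above and not Splunk's or Microsoft's code: a parser for this flattened export layout plus the two detections the 11:11:14 burst of EventCode 4719 and the 11:12:05/11:12:09 EventCode 4699/4698 pair call for. The first groups 4719 events whose Changes field says "removed" by host and issuing Logon ID and alerts when several subcategories are silenced inside one window, marking whether Audit Policy Change auditing itself was among them; the second pairs a scheduled-task deletion with a re-creation of the same task name and pulls any executables named in the Task Content. The sample events are constructed to mirror the page's layout with the headers trimmed to the fields parsed; the host dc01.example.local, the EXAMPLE domain, the record numbers and the thresholds are assumptions.

```python
"""Detections over a flattened Splunk export of Windows Security events (constructed sample;
layout follows the page: timestamp, key=value headers, then the rendered Message text)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_START = re.compile(r"(?=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M LogName=)")
FIELD_RES = {
    "time": re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)"),
    "code": re.compile(r"EventCode=(\d+)"),
    "host": re.compile(r"ComputerName=(\S+)"),
    "subject": re.compile(r"Subject: Security ID: (.+?) Account Name:"),
    "logon_id": re.compile(r"Logon ID: (0x[0-9A-Fa-f]+)"),   # first match = Subject's session
    "subcat": re.compile(r"Subcategory: (.+?) Subcategory GUID:"),
    "changes": re.compile(r"Changes: (.+?)\s*$"),
    "task": re.compile(r"Task Name: (\S+)"),
    "content": re.compile(r"Task Content: (.+)$"),
}
ACTION_RX = re.compile(r"\S+\.(?:bat|cmd|exe|ps1|vbs|js)\b", re.IGNORECASE)

def parse_events(blob):
    """Split the export at event boundaries and extract only the fields the detections use."""
    events = []
    for raw in EVENT_START.split(blob):
        raw = " ".join(raw.split())                       # collapse the export's line breaks
        if not raw:
            continue
        ev = {k: (m.group(1).strip() if (m := rx.search(raw)) else None) for k, rx in FIELD_RES.items()}
        ev["time"] = datetime.strptime(ev["time"], "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events

def audit_policy_tampering(events, window=timedelta(seconds=60), min_subcats=3):
    """One alert per burst of 4719 events that remove auditing, keyed by host and issuing logon session."""
    per_session = defaultdict(list)
    for ev in events:
        if ev["code"] == "4719" and ev["changes"] and "removed" in ev["changes"].lower():
            per_session[(ev["host"], ev["logon_id"])].append(ev)
    alerts = []
    for (host, logon_id), evs in per_session.items():
        evs.sort(key=lambda e: e["time"])
        i = 0
        while i < len(evs):
            j = i
            while j + 1 < len(evs) and evs[j + 1]["time"] - evs[i]["time"] <= window:
                j += 1
            subcats = sorted({e["subcat"] for e in evs[i:j + 1]})
            if len(subcats) >= min_subcats:
                alerts.append({"host": host, "logon_id": logon_id, "subject": evs[i]["subject"],
                               "first": evs[i]["time"], "subcategories": subcats,
                               # silencing "Audit Policy Change" also hides the next 4719
                               "self_blinding": "Audit Policy Change" in subcats})
            i = j + 1
    return alerts

def task_recreated(events, window=timedelta(minutes=5)):
    """Pair a 4699 (task deleted) with a later 4698 (same task name, same host) inside `window`."""
    deletes, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["task"])
        if ev["code"] == "4699":
            deletes[key] = ev
        elif ev["code"] == "4698":
            prior = deletes.get(key)
            alerts.append({"host": ev["host"], "task": ev["task"], "subject": ev["subject"],
                           "recreated": prior is not None and ev["time"] - prior["time"] <= window,
                           "actions": ACTION_RX.findall(ev["content"] or "")})  # executables in the body
    return alerts

def _e4719(rec, cat, subcat, guid_tail, changes):
    """Constructed 4719 in the page's layout; host dc01.example.local and domain EXAMPLE are assumed."""
    return (f"04/26/2022 11:11:14 AM LogName=Security EventCode=4719 ComputerName=dc01.example.local "
            f"RecordNumber={rec} Message=System audit policy was changed. Subject: Security ID: "
            f"NT AUTHORITY\\SYSTEM Account Name: DC01$ Account Domain: EXAMPLE Logon ID: 0x3E7 "
            f"Audit Policy Change: Category: {cat} Subcategory: {subcat} "
            f"Subcategory GUID: {{0CCE92{guid_tail}-69AE-11D9-BED3-505054503030}} Changes: {changes}")

# Constructed sample: four subcategories silenced and one enabled in the same second, then a 4699/4698 pair.
SAMPLE_LOG = " ".join([
    _e4719(1001, "Account Logon", "Kerberos Authentication Service", "42", "Success removed"),
    _e4719(1002, "Policy Change", "Audit Policy Change", "2F", "Success removed"),
    _e4719(1003, "Detailed Tracking", "Process Creation", "2B", "Success removed, Failure removed"),
    _e4719(1004, "Object Access", "Other Object Access Events", "27", "Success Added, Failure added"),
    _e4719(1005, "Logon/Logoff", "Logon", "15", "Success removed, Failure removed"),
    "04/26/2022 11:12:05 AM LogName=Security EventCode=4699 ComputerName=dc01.example.local "
    "RecordNumber=1006 Message=A scheduled task was deleted. Subject: Security ID: EXAMPLE\\Administrator "
    "Account Name: administrator Account Domain: EXAMPLE Logon ID: 0x95AF8 Task Information: Task Name: \\MyTaskname Task Content:",
    "04/26/2022 11:12:09 AM LogName=Security EventCode=4698 ComputerName=dc01.example.local "
    "RecordNumber=1007 Message=A scheduled task was created. Subject: Security ID: EXAMPLE\\Administrator "
    "Account Name: administrator Account Domain: EXAMPLE Logon ID: 0x95AF8 Task Information: Task Name: \\MyTaskname "
    "Task Content: 2022-04-26T10:49:31 EXAMPLE\\administrator \\MyTaskname EXAMPLE\\Administrator InteractiveToken "
    "LeastPrivilege true true true IgnoreNew PT10M PT1H true false 2022-04-26T00:00:00 1 %~dp0\\MyBatch.bat",
])

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in audit_policy_tampering(evs) + task_recreated(evs):
        print(alert)
```

The burst on this page is issued by the machine account under Logon ID 0x3E7, the SYSTEM session, and Group Policy applying its audit settings produces 4719 events with exactly that subject, so compare a burst against the policy you expect (auditpol /get /category:* on the host, or the GPO) before escalating. The combination worth escalating is the one seen here: Audit Policy Change, Process Creation and Logon auditing all removed in the same second, after which the next policy change and the command that made it both go unrecorded.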